SECURITY-3017

jonesbusy · Kevin-CB · commit 4cbc48657c21 · 2023-05-15T10:40:00.000+02:00
diff --git a/src/main/java/org/jenkinsci/plugins/ansible/AbstractAnsibleInvocation.java b/src/main/java/org/jenkinsci/plugins/ansible/AbstractAnsibleInvocation.java
@@ -121,7 +121,7 @@ public ArgumentListBuilder appendExtraVars(ArgumentListBuilder args) {
         if (extraVars != null && ! extraVars.isEmpty()) {
             for (ExtraVar var : extraVars) {
                 args.add("-e");
-                String value = envVars.expand(var.getValue());
+                String value = envVars.expand(var.getSecretValue().getPlainText());
                 if (Pattern.compile("\\s").matcher(value).find()) {
                     value = Util.singleQuote(value);
                 }
diff --git a/src/main/java/org/jenkinsci/plugins/ansible/ExtraVar.java b/src/main/java/org/jenkinsci/plugins/ansible/ExtraVar.java
@@ -18,42 +18,53 @@
 import hudson.Extension;
 import hudson.model.AbstractDescribableImpl;
 import hudson.model.Descriptor;
+import hudson.util.Secret;
+
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 
 public class ExtraVar extends AbstractDescribableImpl<ExtraVar> {
 
     public String key;
 
-    public String value;
+    public transient String value;
+
+    public Secret secretValue;
 
-    public boolean hidden;
+    public boolean hidden = true;
 
     @DataBoundConstructor
     public ExtraVar() {
     }
 
+    protected Object readResolve() {
+        if (value != null) {
+            this.setSecretValue(Secret.fromString(value));
+        }
+        return this;
+    }
+
     @DataBoundSetter
     public void setKey(String key) {
         this.key = key;
     }
 
     @DataBoundSetter
-    public void setValue(String value) {
-        this.value = value;
+    public void setHidden(boolean hidden) {
+        this.hidden = hidden;
     }
 
     @DataBoundSetter
-    public void setHidden(boolean hidden) {
-        this.hidden = hidden;
+    public void setSecretValue(Secret value) {
+        this.secretValue = value;
     }
 
     public String getKey() {
         return key;
     }
 
-    public String getValue() {
-        return value;
+    public Secret getSecretValue() {
+        return this.secretValue;
     }
 
     public boolean isHidden() {
diff --git a/src/main/java/org/jenkinsci/plugins/ansible/jobdsl/context/ExtraVarsContext.java b/src/main/java/org/jenkinsci/plugins/ansible/jobdsl/context/ExtraVarsContext.java
@@ -6,6 +6,8 @@
 import javaposse.jobdsl.dsl.Context;
 import org.jenkinsci.plugins.ansible.ExtraVar;
 
+import hudson.util.Secret;
+
 /**
  * @author pawbur (Pawel Burchard)
  */
@@ -15,7 +17,7 @@ public class ExtraVarsContext implements Context {
     public void extraVar(String key, String value, boolean hidden) {
         ExtraVar extraVar = new ExtraVar();
         extraVar.setKey(key);
-        extraVar.setValue(value);
+        extraVar.setSecretValue(Secret.fromString(value));
         extraVar.setHidden(hidden);
         this.extraVars.add(extraVar);
     }
diff --git a/src/main/java/org/jenkinsci/plugins/ansible/workflow/AnsiblePlaybookStep.java b/src/main/java/org/jenkinsci/plugins/ansible/workflow/AnsiblePlaybookStep.java
@@ -38,6 +38,7 @@
 import hudson.model.Run;
 import hudson.model.TaskListener;
 import hudson.util.ListBoxModel;
+import hudson.util.Secret;
 import jenkins.model.Jenkins;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.ansible.AnsibleInstallation;
@@ -383,10 +384,10 @@ private List<ExtraVar> convertExtraVars(Map<String, Object> extraVars) {
                 var.setKey(entry.getKey());
                 Object o = entry.getValue();
                 if (o instanceof Map) {
-                    var.setValue(((Map)o).get("value").toString());
+                    var.setSecretValue((Secret)((Map)o).get("value"));
                     var.setHidden((Boolean)((Map)o).get("hidden"));
                 } else {
-                    var.setValue(o.toString());
+                    var.setSecretValue((Secret)o);
                     var.setHidden(false);
                 }
                 extraVarList.add(var);
diff --git a/src/main/resources/org/jenkinsci/plugins/ansible/AnsibleAdHocCommandBuilder/config.jelly b/src/main/resources/org/jenkinsci/plugins/ansible/AnsibleAdHocCommandBuilder/config.jelly
@@ -71,11 +71,11 @@
           <f:entry title="${%Key}" field="key">
             <f:textbox  clazz="required" />
           </f:entry>
-          <f:entry title="${%Value}" field="value">
-            <f:textbox clazz="required" />
+          <f:entry title="${%Value}" field="secretValue">
+            <f:password clazz="required" />
           </f:entry>
           <f:entry title="${%Hidden variable in build log}" field="hidden">
-            <f:checkbox default="false" />
+            <f:checkbox default="true" />
           </f:entry>
           <f:entry>
             <div align="right" class="repeatable-delete show-if-only">
diff --git a/src/main/resources/org/jenkinsci/plugins/ansible/AnsiblePlaybookBuilder/config.jelly b/src/main/resources/org/jenkinsci/plugins/ansible/AnsiblePlaybookBuilder/config.jelly
@@ -80,11 +80,11 @@
           <f:entry title="${%Key}" field="key">
             <f:textbox  clazz="required" />
           </f:entry>
-          <f:entry title="${%Value}" field="value">
-            <f:textbox clazz="required" />
+          <f:entry title="${%Value}" field="secretValue">
+            <f:password clazz="required" />
           </f:entry>
           <f:entry title="${%Hidden variable in build log}" field="hidden">
-            <f:checkbox default="false" />
+            <f:checkbox default="true" />
           </f:entry>
           <f:entry>
             <div align="right" class="repeatable-delete show-if-only">
diff --git a/src/test/java/org/jenkinsci/plugins/ansible/jobdsl/JobDslIntegrationTest.java b/src/test/java/org/jenkinsci/plugins/ansible/jobdsl/JobDslIntegrationTest.java
@@ -64,7 +64,7 @@ public void shouldCreateJobWithPlaybookDsl() throws Exception {
         assertThat("disableHostKeyChecking", step.disableHostKeyChecking, is(false));
         assertThat("additionalParameters", step.additionalParameters, is("params"));
         assertThat("extraVar.key", step.extraVars.get(0).getKey(), is("key"));
-        assertThat("extraVar.value", step.extraVars.get(0).getValue(), is("value"));
+        assertThat("extraVar.value", step.extraVars.get(0).getSecretValue().getPlainText(), is("value"));
         assertThat("extraVar.hidden", step.extraVars.get(0).isHidden(), is(true));
 
     }
@@ -93,7 +93,7 @@ public void shouldCreateJobWithLegacyPlaybookDsl() throws Exception {
         assertThat("disableHostKeyChecking", step.disableHostKeyChecking, is(true));
         assertThat("additionalParameters", step.additionalParameters, is("params"));
         assertThat("extraVar.key", step.extraVars.get(0).getKey(), is("key"));
-        assertThat("extraVar.value", step.extraVars.get(0).getValue(), is("value"));
+        assertThat("extraVar.value", step.extraVars.get(0).getSecretValue().getPlainText(), is("value"));
         assertThat("extraVar.hidden", step.extraVars.get(0).isHidden(), is(true));
 
     }

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ public ArgumentListBuilder appendExtraVars(ArgumentListBuilder args) {`
`121`	`121`	`if (extraVars != null && ! extraVars.isEmpty()) {`
`122`	`122`	`for (ExtraVar var : extraVars) {`
`123`	`123`	`args.add("-e");`
`124`		`- String value = envVars.expand(var.getValue());`
	`124`	`+ String value = envVars.expand(var.getSecretValue().getPlainText());`
`125`	`125`	`if (Pattern.compile("\\s").matcher(value).find()) {`
`126`	`126`	`value = Util.singleQuote(value);`
`127`	`127`	`}`